Elon Musk has been trying everything to weasel out of his $44 billion deal to buy Twitter. Though he still faces long odds of getting out of the binding merger agreement, a new whistleblower report from Twitter’s former security chief could help bolster Musk’s arguments in court.
The Washington Post and CNN reported that Peiter Zatko, known in hacking circles as “Mudge,” filed a whistleblower complaint against Twitter with the US Securities and Exchange Commission (SEC), alleging that the company misled investors about its security practices and data about its userbase.
Zatko’s complaint isn’t related to the lawsuits between Musk and Twitter, but there’s no doubt the document will now play a role. Musk’s lawyer, Alex Spiro, said in a statement that his team has already subpoenaed Zatko. “We found [Zatko’s] exit and that of other key employees curious in light of what we have been finding,” Spiro said.
Zatko’s wide-ranging complaint makes myriad allegations about Twitter’s poor management and, in many cases, alleges that Twitter’s executives purposely misled investors, board members, and the US government. Among other things, Zatko alleges:
- Twitter CEO Parag Agrawal told Zatko not to send his concerns about Twitter’s security and userbase data to Twitter’s board of directors;
- Agrawal made him send the board false and misleading information about Twitter’s security;
- Agrawal deceived Musk when he said Twitter is incentivized to accurately detect bots and spam accounts on the platform;
- Twitter misused user data in violation of a 2011 consent decree with the US Federal Trade Commission (FTC);
- Twitter allowed about half of its employees to have access to sensitive system-wide controls; and, perhaps most oddly,
- the Indian government forced Twitter to employ one of its agents.
In a statement, a Twitter spokesperson pushed back on Zatko’s allegations:
“Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance. What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”
Musk has claimed without evidence that Twitter lied to him and government regulators about its user data. While Zatko’s claims line up almost perfectly with what Musk has alleged, the former Twitter security chief also does not back up his claims with evidence that Twitter has misrepresented its user data.
In fact, at various points in the complaint, Zatko confirms that Twitter’s monetizable daily active users (mDAU)—the user base metric at the heart of Musk’s dispute—is “more or less Twitter’s best approximation of the set of accounts that aren’t bots.”
He also said that Twitter is doing a “decent job excluding spam bots and other worthless accounts from its calculation of mDAU,” while noting he thinks that these nonhuman accounts make up a number “meaningfully higher than 5%.” But in public filings, Twitter has routinely warned that the percentage of spam in its mDAU count—237.8 million users as of the most recent fiscal quarter—could be higher than 5%.
“The purported whistleblower’s assertions [about] bots are only likely to have an impact on the Musk/Twitter case if they have factual substance,” David Lurie, a securities litigator in New York, told Quartz. “On initial review, it does not appear there is much there.”
Despite the lack of hard evidence, Zatko’s complaint could open new doors for Musk’s attorneys once the trial begins on Oct. 17.
Not only did Musk sign an agreement to buy Twitter for $44 billion, but he signed a specific-performance clause, which means a judge can do more than merely force Musk to pay civil damages: She can force Musk to complete the takeover. In order for Musk to get out of the deal, he would likely have to demonstrate that a material adverse change has occurred. That would mean some new information has emerged, which was not known at the time of the agreement, that severely jeopardizes Musk’s ability to run Twitter moving forward. It’s a very high legal standard to meet.
Ann Lipton, a professor at Tulane University School of Law, said that the whistleblower complaint gives Musk “more ammunition for a longshot claim of fraud.” Still, Musk would have to demonstrate that Twitter executives intentionally ignored real material risks to the company. “I am not a tech person so it’s hard to gauge how powerful the claims are but as a lawyer, it’s easy to read this as simply an employee who disagreed with management’s judgment,” she said.
The new revelations about system security and data privacy shortcomings could be a potential “lottery ticket,” Boston College Law School professor Brian Quinn told Quartz. Quinn acknowledges that Musk has never talked about security vulnerabilities as a reason why he wants out of the deal, but if the allegations are true and Musk can “present evidence that the board has not adequately disclosed its security vulnerabilities then Musk has something to play with in court.”
University of Michigan Law School professor Adam Pritchard agreed. “Allegations of concealment are a very common grounding for a fraud claim,” Pritchard wrote in an email to Quartz. “In this situation it gives Musk an opening to argue that even with due diligence, he wouldn’t have uncovered the issue. That makes it easier for him to argue that it is a material adverse change rather than a topic he waived when he waived due diligence. As always, it is all about negotiating leverage, and this gives Musk a bit more leverage.”